Next: Token-Mediated Certification and Electronic Up: Session I: Hardware Tokens Previous: Session I: Hardware Tokens

Tamper Resistance - A Cautionary Note

Ross Anderson, Cambridge University; Markus Kuhn, Purdue University

Markus Kuhn began by pointing out that, while cryptographic security usually assumes that attackers can neither get at the secret keys nor observe the computations, current distributed and mobile applications such as pay-TV access control give attackers plenty of access to the hardware. He stated that he would discuss hardware security and tamper resistance in terms of three classes of potential attackers: clever outsiders, knowledgeable insiders, and funded organizations.

Markus then described a host of simple attacks on the physical security of smart cards. The tamper-resistant coating on the Motorola smart card chip can be dissolved with $30 worth of fuming nitric acid and acetone. Access to software stored in standard microcontrollers is generally prevented by setting a supposedly irreversible security fuse bit, but a UV EPROM eraser can be used to reset the security fuse, after which the software can be read. Special smart card security processors usually have a melt fuse as the security bit, but a well-equipped lab can often repair the fuse. For many microcontrollers, voltage attacks can successfully reset the security bit. Other techniques for accessing the software include timing analysis, applying heat gradually to toggle EEPROM bits, and recording current leakage. It is also possible to change single instructions by signal glitches, such as increasing the clock frequency; for example, a loop control variable can be changed so that additional memory content is output.

Markus stated that all these attacks are feasible even for clever outsiders. Knowledgeable insiders and funded organizations with resources of up to $50,000 may have access to tools such as microprobing workstations and laser cutters for breaking connections and removing the passivation layer. With up to $1,000,000 available, they may use electron beam testing for reading bus signals, focused ion beam workstations for making new connections on the chip, and selective dry etching. With even more resources, they may use tools such as automatic layout reconstruction to recreate circuit diagrams, electro-optic sampling, and infrared (IR) rear access.

Markus concluded by stating the moral: do not blindly trust manufacturer claims about tamper resistance, avoid global secrets, reduce the importance of tamper resistance wherever possible, use fault-tolerant machine code in smart cards, implement fallback modes, and insist on in-depth hostile review of designs.
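The loop-control glitch mentioned above and the "fault-tolerant machine code" recommendation can be illustrated together. The following C simulation is an added example, not code from the talk or the paper: it assumes a single-fault model in which one glitch rewrites the output loop's counter once, and contrasts a naive equality-terminated loop (which then walks past the public record into key material) with a hardened loop that keeps a redundant inverted counter and re-verifies its exit state. The memory image, fault parameters and function names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed 256-byte "EEPROM" image: addresses 0..7 hold a public record
 * the card may output, everything above is key material. Each byte equals
 * its own address, so any output value >= PUBLIC_LEN is a leak. */
#define PUBLIC_LEN 8
static uint8_t g_mem[256];
static uint8_t g_out[512];   /* captured card output */

static void init_mem(void) { for (int a = 0; a < 256; a++) g_mem[a] = (uint8_t)a; }
static void emit(size_t *sent, uint8_t b) { if (*sent < sizeof g_out) g_out[*sent] = b; (*sent)++; }

/* Did any of the first n output bytes come from outside the public record? */
int output_leaks(size_t n) {
    for (size_t k = 0; k < n && k < sizeof g_out; k++) if (g_out[k] >= PUBLIC_LEN) return 1;
    return 0;
}

/* Naive output loop: a single counter, and the loop exits on equality (the
 * "jne" pattern compilers emit). Assumed single-fault model: one glitch
 * rewrites the counter to glitch_val when it equals glitch_at (-1 = none).
 * Returns the number of bytes the card put on the wire. */
size_t send_naive(int glitch_at, int glitch_val) {
    size_t sent = 0; int fired = 0;
    init_mem();
    for (uint8_t i = 0; i != PUBLIC_LEN; i++) {
        if (!fired && i == glitch_at) { i = (uint8_t)glitch_val; fired = 1; }
        emit(&sent, g_mem[i]);   /* past PUBLIC_LEN this reads key material */
    }
    return sent;
}

/* Hardened loop in the spirit of "fault-tolerant machine code": the counter
 * is kept twice (plain and bit-inverted), the copies are compared before
 * every read, and the exit state is re-verified after the loop. A detected
 * fault returns SIZE_MAX and outputs nothing further. */
size_t send_hardened(int glitch_at, int glitch_val) {
    size_t sent = 0; int fired = 0;
    uint8_t i = 0, i_inv = (uint8_t)~0u;
    init_mem();
    for (;;) {
        if (!fired && i == glitch_at) { i = (uint8_t)glitch_val; fired = 1; }
        if (i != (uint8_t)~i_inv) return SIZE_MAX;   /* copies disagree: glitch */
        if (i >= PUBLIC_LEN) break;
        emit(&sent, g_mem[i]);
        i++; i_inv--;                                /* advance both copies together */
    }
    if (i != PUBLIC_LEN || i_inv != (uint8_t)~PUBLIC_LEN) return SIZE_MAX;
    return sent;
}
```

With no glitch both routines emit the 8 public bytes; a glitch that sets the counter to 200 makes the naive loop emit 67 bytes including the secret region, while the hardened loop aborts before the first out-of-range read.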


Alma Whitten
1998-07-21